Configure the CSRF Protection With Spring Security 6 and Angular

In this video I will implement CSRF protection both in a Spring Boot application with Spring Security 6 and in the frontend with Angular.

I will build both projects from scratch and add the CSRF protection. I will use stateful authentication in the backend, with cookies.

Chapters:
0:00:00 Introduction
0:02:30 Backend creation
0:07:48 CORS configuration
0:09:30 Frontend creation
0:13:16 Request the backend
0:18:47 Submit form
0:26:57 Spring Security Configuration
0:33:50 Login Form
0:41:58 HTTP client wrapper
0:45:36 CSRF Token
0:50:00 Demo
0:50:52 Conclusion

Comments

Great video! I'm using Spring with CSRF disabled since I can remember 😆

ferlezcano

Excellent content!! I'm not from an anglophone country but I understand without problems.

fabricemissidi

Hi, this was an amazing video on this subject. I haven't seen anyone explain how it works till now. Still, I have one question remaining: where can I learn about Spring Security in depth? It would be great if you could provide me some links to some resources. Thanks!

stefanfrusinoiu

Please help me!

I have permitted all endpoints using permitAll(), but only GET methods are accessible, whereas POST methods return a FORBIDDEN error "You don't have permission to access this".
If I disable CSRF in the SecurityFilterChain, then POST methods without parameters can be accessed, but if there are parameters, they still return a FORBIDDEN error.

tryit

Hi, great video!! Although I still get the 403 Forbidden issue after implementing the same code as shown in the video. I'm developing an Angular library for which I have the Spring Boot layer for all the back-end calls. I don't require the login security as it's already there for the main app, I just need the CSRF validation for API calls. Awaiting your response 😊

rajputADITYA_

But how to secure the endpoint that generates the CSRF token?

mhmmdnaufall

I don't understand why CSRF was disabled in the SecurityConfig?

Our security team has pointed out that it should not be disabled in the SecurityConfig.

dew_reddit

Thanks for this. I have one question: how can I test my backend with Postman if I have CSRF enabled? I tried getting the CSRF token first, but when I make the POST call, the CSRF token on the server has already changed.

emerk

If I put all this code into WordPress, will it still work? I struggle to find a tutorial that could explain the whole coding system behind it, and I just want to secure my website.

gameshow

How to set up the CSRF repository for a new token on each request? Can you provide me any article for that?

sanamudash

If a backend application is hosted on multiple servers, how will the CSRF token be validated?

praveenpotnuru

Hi, could you please do an authentication with token and security in the URL and verification by sending mail, with Spring and Angular, please??

zayedh

Why did you use WebMvcConfigurer here? In another video you said to use CORS if we are using Spring Security: "If you use Spring Security, it's recommended to use this way instead of WebMvcConfigurer. This way, a CorsFilter is put in place which intercepts all the requests. With WebMvcConfigurer, not all the requests are intercepted, only those from the MVC Web."

TheMrBazil

Hi man, great video! However, I'm facing some trouble, can you help me?

gustavosantos

Excellent video!
However, the RestController "CsrfToken getCsrfToken(CsrfToken csrfToken)" fires an exception:
No primary or single unique constructor found for interface
Any idea how to get around it?
Java 17
Spring Security 6.3.3

mohamedbanaouas